Tuesday, 23 October 2012

Analysis of TDL4 (Part II)

Domains

As mentioned in the previous blog post, TDL4 has a component called CMD32/CMD64 that fetches JPEG images from the blogs specified in its configuration file. In order to recover the configurations, CMD32/CMD64 calls Init() and Uninit() functions that are implemented in the 'missing' component COM32/COM64.

Without this component and without knowing what steganography algorithm is used to conceal the text within the images, it is impossible to recover the text.

To download the COM32 component, the C&C server should be queried with the parameter mode=mod&filename=com32. The previous post explained how to encrypt this parameter. The server also requires the 'GeckaSeka' user agent; otherwise it ignores the request.

The following parameters for wget will fetch an encrypted COM32 module from the C&C server:

The decrypted file is indeed a DLL that exports the Init() and Uninit() APIs. Without even trying to understand the steganography algorithm implemented in it, let's load it up and call its exports in order to decrypt the JPEG images posted to the blogs, which are specified in the MAIN configuration file as:

Needless to say, the COM32 DLL should always be loaded in a controlled environment and treated as malware, since the online version may be updated with malicious code at any time.

In order to call Init() and Uninit(), we first need to understand what parameters these functions expect.

As seen in the disassembled code below, the Init() function accepts 5 parameters: a pointer to the JPEG buffer, its size, a pointer that receives the address of the decoded configuration data, the returned size of that data, and finally the JPEG steganography password.

The JPEG steganography password is recovered by decrypting the right-hand part of the blog URL specified in the configuration (as shown above). For example, to decrypt all images from the Skylaco[censored].livejournal.com blog, the string m6dj7aA9mhQKdI8X3jy9 should be decrypted with RC4 key #1 and then passed to the Init() function within the COM32 DLL.

The Init() function allocates memory in which it unpacks the configuration. As shown in the listing below, it then saves the recovered configuration back into a memory section of the infected host process and passes the pointer to the allocated buffer to the Uninit() function, which de-allocates the memory:
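The calling sequence described above, as an added Python/ctypes harness that is not part of the original post: it RC4-decrypts the blog-URL suffix into the password, calls Init() with the five parameters listed, copies the unpacked configuration out of the returned buffer and then hands that buffer back to Uninit(). The stdcall convention, the raw-bytes form of the decrypted password and the RC4_KEY_1 placeholder (the real key #1 is in the previous post) are assumptions.

```python
# Added example, not code from the original post. Assumptions: Init()/Uninit()
# are stdcall (WinDLL), the password is the RC4-decrypted blog-URL suffix, and
# RC4_KEY_1 is a placeholder for key #1 from the previous post.
import ctypes
import sys

RC4_KEY_1 = b"REPLACE-WITH-RC4-KEY-1"  # placeholder, not the real key

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def blog_password(url_suffix: str) -> bytes:
    """Right-hand part of the blog URL, RC4-decrypted with key #1 (raw bytes assumed)."""
    return rc4(RC4_KEY_1, url_suffix.encode())

def extract_config(dll_path: str, jpeg: bytes, password: bytes) -> bytes:
    """Init(jpeg, size, &cfg_ptr, &cfg_size, password), copy the result out,
    then hand the allocated buffer back to Uninit(). Run only in an isolated VM."""
    com32 = ctypes.WinDLL(dll_path)  # stdcall assumed; use CDLL if it is cdecl
    com32.Init.argtypes = [ctypes.c_char_p, ctypes.c_size_t,
                           ctypes.POINTER(ctypes.c_void_p),
                           ctypes.POINTER(ctypes.c_size_t), ctypes.c_char_p]
    com32.Uninit.argtypes = [ctypes.c_void_p]
    cfg_ptr, cfg_size = ctypes.c_void_p(), ctypes.c_size_t()
    com32.Init(jpeg, len(jpeg), ctypes.byref(cfg_ptr), ctypes.byref(cfg_size), password)
    if not cfg_ptr.value or not cfg_size.value:
        return b""  # nothing embedded, or the password was wrong
    config = ctypes.string_at(cfg_ptr.value, cfg_size.value)  # copy before freeing
    com32.Uninit(cfg_ptr.value)
    return config

if __name__ == "__main__":  # usage: harness.py com32.dll image.jpg m6dj7aA9mhQKdI8X3jy9
    with open(sys.argv[2], "rb") as fh:
        cfg = extract_config(sys.argv[1], fh.read(), blog_password(sys.argv[3]))
    sys.stdout.buffer.write(cfg)
```

The configuration is copied with ctypes.string_at before Uninit() frees the buffer, so the harness never reads memory the DLL has already released.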

Applying this function to an image downloaded from one of the blogs above (the image shown below does not contain the embedded text; it was stripped when the image was processed, and the original image is available here):

reveals the full configuration file, which includes new C&C servers:

Applying this function to all JPEG images from the two previously mentioned blogs allows assembling the C&C domain list below:


Once the new C&C servers go live, TDL4 will visit them and request an updated configuration. The new configuration may specify different blogs with different posted JPEG images, and the new configuration data embedded in those images may point to new domains. This vicious cycle may potentially go on indefinitely. As long as there is at least one live domain or one live blog, the masterminds behind the botnet have a chance to inject a new batch of domains and blogs into this deadly whirlpool, preserving full control over the victims.